{
  flake,
  config,
  pkgs,
  lib,
  ...
}:
let
  inherit (lib) mkDefault;
in
{
  # The two -wait-online units are off by default on every host; both are
  # mkDefault so a host that needs one can simply enable it again.
  systemd.services = {
    NetworkManager-wait-online.enable = mkDefault false;
    systemd-networkd-wait-online.enable = mkDefault false;
  };

  networking = {
    # NetworkManager with iwd as the Wi-Fi backend.  Users have to be in the
    # networkmanager group before they can manage connections.
    networkmanager = {
      enable = mkDefault true;
      wifi.backend = mkDefault "iwd";
    };

    # The host firewall is always on; services open ports via their own
    # openFirewall options.
    firewall.enable = true;

    # Project helper from the flake; presumably maps the given names to the
    # local host so caddy.local resolves locally — verify in flake.self.lib.
    hosts = flake.self.lib.addLocalHostname [ "caddy.local" ];
  };

  # Caddy as a loopback-only reverse proxy for local services such as cups.
  # Only the global config is set here; Caddy itself is NOT enabled by this
  # module, a host opts in with services.caddy.enable.  default_bind keeps
  # every site on 127.0.0.1 and auto_https off disables Caddy's automatic TLS.
  services.caddy.globalConfig = ''
    default_bind 127.0.0.1
    auto_https off
  '';

  # sshd runs on every host because rage encryption needs a host key pair on
  # each machine.
  services.openssh = {
    enable = true;
    allowSFTP = false;

    # Opens the sshd port(s) in the firewall.  Hosts that must not be reachable
    # from the network set services.openssh.openFirewall = false.
    openFirewall = true;

    settings = {
      # NOTE(review): this is only a default, but AuthenticationMethods in
      # extraConfig below is hard-set to publickey, so overriding this to true
      # on a host will not by itself allow password logins — adjust both.
      PasswordAuthentication = mkDefault false;
      KbdInteractiveAuthentication = false;
    };

    # Forwarding policy: plain TCP port forwarding stays available; X11, agent
    # and unix-socket forwarding are off; publickey is the only accepted
    # authentication method.
    extraConfig = ''
      AllowTcpForwarding yes
      X11Forwarding no
      AllowAgentForwarding no
      AllowStreamLocalForwarding no
      AuthenticationMethods publickey
    '';
  };
}